a869136ca1d7fe2df2d6e8b0dcce2e72d1879c9d02c09114eff3f50abc4ce430

Analysis

max time kernel
171s
max time network
178s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2023 13:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

728cdc19d2719172c585821ae0f039f0.exe
Size

209KB
MD5

728cdc19d2719172c585821ae0f039f0
SHA1

5c033f9c3c0aecf4cdeb16b866f7449c3ca15841
SHA256

a869136ca1d7fe2df2d6e8b0dcce2e72d1879c9d02c09114eff3f50abc4ce430
SHA512

9af605752ddaac8b14b56d18dea1241aefcb7bd0b49692464212d073a6f229ded20781593aad75c9f3bc606cc23b186d1e6be9b5139e71d1cf10db0658b81314
SSDEEP

3072:glhg7vQsqRjP6wslpFZ/hWoasvzFjH9KLVAhXIrEnZDXOuVJJ11FgiCCmRG1fxRr:gl2zbMpsvzFjH8LOhfhBVJJxtCr01fq

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3608	u.dll
4544	mpress.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings	calc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2528	OpenWith.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 4788	1508	728cdc19d2719172c585821ae0f039f0.exe	93
PID 1508 wrote to memory of 4788	1508	728cdc19d2719172c585821ae0f039f0.exe	93
PID 1508 wrote to memory of 4788	1508	728cdc19d2719172c585821ae0f039f0.exe	93
PID 4788 wrote to memory of 3608	4788	cmd.exe	94
PID 4788 wrote to memory of 3608	4788	cmd.exe	94
PID 4788 wrote to memory of 3608	4788	cmd.exe	94
PID 3608 wrote to memory of 4544	3608	u.dll	95
PID 3608 wrote to memory of 4544	3608	u.dll	95
PID 3608 wrote to memory of 4544	3608	u.dll	95
PID 4788 wrote to memory of 2720	4788	cmd.exe	96
PID 4788 wrote to memory of 2720	4788	cmd.exe	96
PID 4788 wrote to memory of 2720	4788	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\728cdc19d2719172c585821ae0f039f0.exe
"C:\Users\Admin\AppData\Local\Temp\728cdc19d2719172c585821ae0f039f0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F453.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4788
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save 728cdc19d2719172c585821ae0f039f0.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3608
  - - C:\Users\Admin\AppData\Local\Temp\F925.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\F925.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exeF926.tmp"
      4⤵
      Executes dropped EXE
      PID:4544
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:2720

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2528

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\F453.tmp\vir.bat

Filesize
2KB

MD5
8cbc032921e1388bad78100e06ca5b3b

SHA1
072d4c08e1ca1c4ff64becd227646b3106e350b4

SHA256
3bc84a05f572f708b736f815f1d6768ce524e2ec20befd746491317ef0948714

SHA512
ddb67c6f9b29ea639599cc15393357eadeb0f6f06432a32d82a33b12c9a9ed7f0e2f1e25c5ff281a65737b66ca615a126ea436ebd2d56ad50030c026b550a3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\F925.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exeF926.tmp

Filesize
41KB

MD5
27d3171f8fbf513154d6e5b3001ed440

SHA1
2d110288c903d12c83168dcd1c2f72007d011885

SHA256
b33fa59131d327610feefc08274f13d96a755c41f914fd0d5a3b6c8ae3ad39b1

SHA512
e62784259796d637bcfd6e55b68df1baaf8ca1894ec70adc359d6833dd60af27b2ab700d81e6aec3a5163669d96c612ea9250165bb5c630fcf18e68d8749d87e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mprFCAF.tmp

Filesize
24KB

MD5
9882873d2dc36538299ba953c381625a

SHA1
239d82e6d77f3e8c491760e8336d4d597e0c2709

SHA256
65dc1fee069123b4f851cfe6ec54dbc4e1195b8e8de4064099d526daf5dd2646

SHA512
d93314b182be7c9b2828762213d5ae122cfc21ab91591d1013b43ee4aeaaa36b9e8989229cded20c3e820634ecbd4293c9ee292b178675d2864983cda2bf27ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
e6e9eea8477a9cc23e4cf34876f54b3d

SHA1
614155afe905c2372ec85626af490047624037c3

SHA256
4da245e3bdd01f62fe761abeb4bf0667e08e429baa199d95fe8a7340ec5cfa0b

SHA512
c8409e10b60d7a5fefda1e55bb46df2f4c06f96a9e28257680caacfa51b33f6b8a1b6ba50e200afc3fc289db6e26f0bff05c71915cc2cb39d2f99f1eddbb716c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
2KB

MD5
7ff6ab1f513e193892697cfb0841de1b

SHA1
43cce225f508e696afcb53b3c855cf9750220cbe

SHA256
4514ffd251e234d643b9f07741960e162ddec27823d28b2c449bea0b473e81a2

SHA512
ce4e936087ce2ffe2f6a34424ede837447b67776a45677c99d628c190d0c5e5963a669b2d59e7fe283c338bbf2757564dc7e0ee3da9bf68f21c35634b0f640db

Download Submit
memory/1508-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1508-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1508-70-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4544-54-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4544-62-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads